[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
Simon Waters wrote:
But what good is that if you dont know what the data is! Its hard to explain without seeing it in action but so what if you have 400 key strokes if you dont know what they relate to, and more importantly how to encrypt them to send them back usefully. Or what if no keystrokes are required - click on the characters in this captcha - ok a fake site could be used but not if it couldn't provide the user with certain information - its not just the server that should ask for certain info, the client would be well advised to too.tom wrote:Because the intercepted data means nothingIf your PC is compromised data can be intercepted before it is encrypted. Key logger, or just redirect you to a fake site (you couldn't tell).
Only if used simply - and cardboard boxes can actually stop you being hurt from a very great fall while landing on the armoured truck would kill you.Look up Spafford's armoured truck analogy. Encryption is irrelevant with compromised PCs.
But again - you might not be able to but the server end can and this information can be required as part of the transaction so the whole thing can be made null and void so nothing is lost in the immediate transaction. The interloper cannot tell if any information it received is of any value and can be picked off quite quickly, or reduced to tears which is the much more fun option.Current SSL ciphers are plenty strong enough for most individuals banking need (Bill Gates may feel differently), but it is is all pointless if you can't trust the PC you are using. If your PC is compromised you can for example no longer trust the list of certificate authorities. A great example of this are the antivirus
Tom te tom te tom -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html